Official Phoenix Discussion

system · March 5, 2022, 3:00pm

Official discussion thread for Phoenix. Please do not post any spoilers or big hints.

Jocker · March 6, 2022, 4:02am

anyone find any foothold

timrashed · March 6, 2022, 6:27am

I found a vuln but it’s slow and i am not sure if it will merit any fruits

timrashed · March 6, 2022, 7:20am

Was able to laterally move but sadly didn’t get any more privileges. Will keep hammering

BrickedWindows · March 6, 2022, 3:09pm

Let me preface with a warning that I’m new and still learning but here are my thoughts/experiences:

Comment fields seem to be sanitized. Looks like you may need to have author privs.
My only thought is to throw rockyou at ph*ix and jsth but didn’t have luck after a couple hours.

Please share your opinions on my methodology and what you guys are thinking

mattzq · March 6, 2022, 4:22pm

Oh thats why the servers are so slow lol. I don’t think you have to brute force any logins. Enumeration of the running application should get you the foothold.

I didn’t get any further than that though.

billbrasky · March 6, 2022, 6:26pm

Yeah, no brute forcing needed. But this is horribly slow, even when you know what info you’re after. I had to give up because things were taking too long trying to get some specific info. I wonder if I’m missing a better technique.

tec · March 7, 2022, 12:21am

Got admin credential, but blocked by 2fa.

timrashed · March 7, 2022, 3:02am

Same here, I even got the OTP but it doesn’t work

clure · March 7, 2022, 8:44am

Same point…
Got 3 creds / 2 require 2FA / 1 is not that interesting
Can’t yet bypass 2FA though… I think I know how to do it … but if anybody has any idea how to speed up the enumeration process…

… it’s so slow …

tec · March 7, 2022, 1:22pm

Same. i’ve verified that the http time skew is within tolerance.

clure · March 7, 2022, 7:48pm

After spending hours to find t…p, I did find it (in a weird place btw). but I systematically get ‘invalid code’ when I try to use it…
My box is in sync with the target
This is starting to bore me a great deal now… If someone has any idea?

clure · March 9, 2022, 10:50am

Rooted. Thx a lot to @timrashed for your help

OTP seems to be a rabbit hole, which I think is a shame, it was a nice way to get in

Sogeking · March 11, 2022, 6:46am

Finally rooted the box, thanks @clure for the helps.

User is really hard for me. Root requires some enum but it’s easy to exploit.

Sogeking · March 11, 2022, 2:55pm

Check carefully where the 2FA is used.

tec · March 13, 2022, 2:28am

Great hint! thanks.

Finally got foothold. annoying 2FA (again).

happyhackerhour · March 16, 2022, 9:51pm

Thx for the HInt Guys!

im stuck on the 2FA part. i read in the treath that the 2FA/OTP is a dead end?

any pointers as to how to proceed? i have the admin creds, but cannot bypass 2FA.

thanks

bolazoo · March 19, 2022, 10:21pm

stuck on 2fa part too, any nudge to right direction would be appreciated!

Tnr1112 · March 29, 2022, 1:02pm

You could dm me on discord.

k4m1ll0 · April 1, 2022, 12:33pm

Rooted.